MicroFlow Enable Data Protection Policy
1. Purpose
This Data Protection Policy outlines how MicroFlow Enable protects the data entrusted to us by our vendor and partner customers.
2. Data Controller and Processor Roles
Under applicable data protection legislation:
- Data Controller: The vendor organisation that subscribes to MicroFlow Enable and determines the purposes and means of processing learning and user data.
- Data Processor: MicroFlow by The Channel Sherpas processes data on behalf of the vendor in accordance with their instructions and this policy.
- Data Subjects: Partner users whose personal data is processed through the platform.
The organisation processes data solely for providing the MicroFlow Enable service as instructed by the data controller.
3. Security Architecture
MicroFlow Enable implements multiple layers of security:
- Encryption in transit: All data transmitted between clients and servers is encrypted using TLS 1.2 or higher.
- Encryption at rest: All database storage and file attachments are encrypted at rest using AES-256 encryption.
- Authentication: User authentication uses Supabase Auth with secure session tokens and bcrypt password hashing.
- Role-based access control (RBAC): Granular permissions restrict user access based on role (admin, manager, partner user).
- Row-level security (RLS): Database-level policies enforce tenant isolation, preventing cross-organisation data access even in the event of application-level bugs.
4. Multi-Tenant Data Isolation
As a multi-tenant platform, each vendor's data is logically isolated through:
- Tenant-scoped database queries filtered by authenticated user's organisation
- PostgreSQL Row-Level Security policies enforced at the database layer
- Separate storage paths for file attachments, scoped per content item and organisation
- API routes that validate tenant scope before data operations
5. Data Handling
5.1 Data Storage
Application data resides in a PostgreSQL database hosted by Supabase, with file attachments in Supabase Storage. All infrastructure meets secure, SOC 2 compliant data centre standards.
5.2 Data Backups
Database backups are performed automatically by our infrastructure provider. Point-in-time recovery is available for the retention period defined by the vendor's subscription tier.
5.3 Data Deletion
When a vendor terminates their subscription or requests data deletion, all associated data - including learning records, user accounts, file attachments, and audit logs - is permanently deleted within 90 days.
Vendors may request immediate deletion by contacting info@microflowenablement.com
5.4 Sub-Processors
The organisation uses:
- Supabase - Database hosting, authentication, file storage
- Vercel - Application hosting and CDN
- Resend - Transactional email delivery
Each sub-processor maintains data protection standards at least as stringent as those described in this policy.
6. Incident Response
In the event of a data breach or security incident:
- Investigation and containment occur within 24 hours of detection
- Affected data controllers (vendors) will be notified within 72 hours of confirmed breach, in compliance with GDPR Article 33.
- A full incident report is provided detailing the breach, affected data, remediation steps, and preventive measures
- Full cooperation with affected parties and supervisory authorities is guaranteed
7. Employee Access
Access to customer data by MicroFlow personnel is limited to authorised staff who require it for support, maintenance, or incident response. All access is logged and subject to audit.
8. Compliance
MicroFlow Enable supports compliance with:
- General Data Protection Regulation (GDPR)
- Australian Privacy Principles (APPs)
- Other applicable data protection legislation in customer jurisdictions
9. Policy Review
This policy is reviewed at least annually and updated as needed to reflect changes in our practices, technology, or legal requirements.
10. Contact Us
For policy questions, security concerns, or data subject rights: info@microflowenablement.com
See also the Privacy Policy for information on personal data collection and use.